Retirement Plan Cybersecurity Risks - Popular, Inc.
TRANSCRIPT
WHAT YOU NEED TO KNOW
Retirement Plan Cybersecurity Risks: Meet the Team
Daisa Rivera joined Popular Fiduciary Services in 2012 and is responsible for providing advice on legal matters as they apply to the division's fiduciary responsibilities, products and services. While working at Popular, Daisa completed a master's degree in Public Administration and achieved certification as a Retirement Services Professional. Before joining Popular, Daisa worked at the House of Representatives, where she served as legal advisor.
Christian Rochet is Vice President of Rochet Business Technologies, a local firm which offers information security advisory services and assistance in information technology and cybersecurity for small and medium businesses. He is a certified IT Security Manager and a member of the Information Systems Audit and Control Association (ISACA).
Jeff Foltz is Popular's CISO and a Senior Executive with over 25 years leading IT and cybersecurity initiatives for major financial institutions. His prior work includes Fortune 500 companies and global financial institutions such as Fidelity National Financial and Deutsche Bank, where he served as CISO and led global red team and vulnerability program management. He leads top-level cybersecurity governance strategy, integrating governance into overall business strategy, and advises the Board of Directors on cyber risks and security standards for all platforms. He specializes in threat intelligence, risk identification and mitigation, business continuity, and vendor risk management.
Cybersecurity is a Fiduciary Duty
In 2016 the ERISA Advisory Council issued "Cybersecurity Considerations for Benefit Plans", which recommends that plan fiduciaries:
• Develop cybersecurity policies and procedures
• Prudently select and monitor service providers
• Continue to educate fiduciaries
• Consider acquiring cyber-liability insurance
• Act wisely in responding to a breach
Cybersecurity is a Fiduciary Duty
There is no comprehensive federal law governing cybersecurity for retirement plans.
ERISA is silent on how to manage cybersecurity risks.
ERISA fiduciaries are nonetheless held to a very high standard of behavior:
• Undivided loyalty
• Prudence
Cyber Threat Landscape 2020: Trends and Response Actions
Prior Year Review Points
Technical Safeguards
Administrative Safeguards
Defense in Depth is designed to defend a system against any particular attack using several, varying methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information security. The name comes from the military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time; applied to information security, no single control is trusted to stop an attack on its own, so the failure of one layer is caught by the next.
Layers shown on the slide: Application Security, Due Diligence, Data Loss, Phishing Simulations.
Current Trends in SMB Cyber Security Statistics
28% of the breaches in 2019 involved small business victims.
85% of MSPs report ransomware as the biggest malware threat to SMBs in 2019.
63% of SMBs report experiencing a data breach in the previous 12 months.
70% of SMBs' employees' passwords were stolen or lost.
Source: https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/
Current Trends in SMB Cyber Security Statistics
Weakness:
• Credentials (52%) represent the most compromised type of data in 2019.
• 22% of SMBs switched to remote work without a cybersecurity threat prevention plan.
• 47% of SMBs report keeping data secure as their biggest challenge.
Threats:
• Phishing is the top threat action for more than 30% of small organizations.
• 83% of data breaches against SMBs are financially motivated.
• 74% of SMB data breaches involve external threat actors.
Defense:
• 43% of SMBs lack any type of cybersecurity defense plan.
• One in five SMBs do not use any endpoint security protections.
• 60% of SMBs choose to keep their heads in the sand about attack and breach risks.
The Numbers…
43% of cyber attacks target small businesses.
60% of small businesses that are victims of a cyber attack go out of business within six months.
There was a 424% increase in new small business cyber breaches last year.
52% of SMBs feel helpless to defend themselves from new forms of cyber attacks.
Three further figures on the slide (62%, 80%, 64%) accompany these statements: SMBs that have experienced a cyber attack, costing the business $53,987 on average; SMBs that agree they lack the in-house skills needed to properly deal with cyber security issues; and SMBs that are worried they will be the target of a cyber attack in the next six months.
Source: https://www.cyberianit.com/cybersecurity/
Cyber Threat Landscape in 2020
Small Business, Big Impact
Cybersecurity: protecting electronic devices and the associated data and information.
Reputation: customers and employees expect and trust you to keep their information secure.
Business cost: attacks can be extremely costly and threaten the vitality of your business.
Vulnerability: attackers can see small businesses as easy targets.
To practice cybersecurity risk management, you can start with these steps:
1. Identify your business assets. What are you protecting?
2. Identify the value of these assets.
3. Document the impact to your business of loss or damage to the assets.
4. Identify the likelihood of loss or harm.
5. Prioritize your mitigation activities accordingly.
Source: https://www.cyberianit.com/cybersecurity/
Cyber Kill Chain: Attack Progression
The Cyber Kill Chain was put forth by Lockheed Martin to describe the phases of a targeted attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The adversary must progress successfully through each stage of the chain before it can achieve its desired objective, so a single mitigation at any stage disrupts the chain and the adversary.
Cyber Security Threats
What are the threats businesses face?
• Phishing attacks
• Ransomware
• Imposter scams
• Insider threats
• Geopolitical threats
• System misconfigurations
• Environmental events
Ransomware & Double-Extortion Ransomware
Ransomware is a form of malware that encrypts a victim's files; the attacker then demands a ransom in exchange for restoring access to the data.
The ransom usually has to be paid in cryptocurrency, and even if you do pay there is no guarantee you will get your data back.
Double extortion adds the threat to publish the data on the internet. The attacker exfiltrates the data before encrypting it, so good backups take away the encryption leverage but not the exposure leverage. It is a shaming tactic.
https://www.keepnetlabs.com/top-11-ransomware-attacks-in-2020-2021/
Protecting Your Business from Cyber Security Attacks
Create multi-layered protection to include:
• Firewalls, antivirus, and endpoint security solutions
• Network penetration testing
• Cyber security audits
• Computer use, device, and password policies
• Keeping current with patches and security standards (TLS 1.2 or later, Java; Flash Player reached end of life at the end of 2020 and should be removed rather than patched)
• Employee cyber security awareness training and phishing simulations
• Access management, control policies, and procedures
• Email and cloud security solutions (such as anti-phishing solutions, spam filters, and email signing certificates [S/MIME certificates])
• Incident response and disaster recovery plans
• Maintaining current data backups and testing restores
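The last item on that list is the one most often left untested: a backup that has never been restored is a hope, not a control. The script below is an added example (not code from the webinar or from Popular) of what a minimal restore drill looks like. It assumes a tar.gz archive, a SHA-256 checksum file written beside it, and a drill that extracts the archive into a scratch directory and compares it byte-for-byte with the live data; the sample files and directory names are constructed for the demo and are not real plan records.

```python
"""Back up a directory, then prove the backup actually restores.

Added example for the "maintain current data backups & test restores"
item. Assumptions: tar.gz archive, SHA-256 checksum stored beside it,
restore into a scratch directory diffed against the live data.
"""
import filecmp
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_path(archive):
    """Where the recorded digest lives: <archive>.sha256 (an assumed convention)."""
    return Path(str(archive) + ".sha256")


def make_backup(src, archive):
    """Archive the children of 'src' into a tar.gz and record its SHA-256."""
    src, archive = Path(src), Path(archive)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name)  # paths relative to the backup root
    digest = sha256_of_file(archive)
    checksum_path(archive).write_text(digest + "\n")
    return digest


def trees_identical(a, b):
    """Recursive byte-for-byte comparison. filecmp.dircmp alone is one level
    deep and shallow by default, which would pass files that merely share
    size and mtime."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(trees_identical(Path(a) / d, Path(b) / d) for d in cmp.common_dirs)


def restore_drill(archive, src):
    """The restore test. True only if the archive still matches its recorded
    checksum AND the extracted tree equals the live data."""
    archive, src = Path(archive), Path(src)
    recorded = checksum_path(archive).read_text().strip()
    if sha256_of_file(archive) != recorded:
        return False  # corrupted on disk or tampered with: do not trust it
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/
            # 3.10.12/3.11.4) refuses absolute paths and path traversal.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        return trees_identical(src, Path(scratch))


def run_drill():
    """Constructed demo: back up sample data, run the drill, then flip one
    byte of the archive (silent bit-rot or tampering) and run it again.
    Returns (result_before_corruption, result_after_corruption)."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "plan-data"  # constructed sample data, not real records
        (src / "participants").mkdir(parents=True)
        (src / "participants" / "p001.csv").write_text("id,name\n1,Sample Participant\n")
        (src / "config.ini").write_text("[backup]\nretention_days=30\n")
        archive = Path(root) / "plan-data.tar.gz"
        make_backup(src, archive)
        ok_before = restore_drill(archive, src)
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF  # one flipped byte in the middle of the archive
        archive.write_bytes(data)
        ok_after = restore_drill(archive, src)
    return ok_before, ok_after


if __name__ == "__main__":
    print("clean backup restores: %s; corrupted backup restores: %s" % run_drill())
```

In production the drill would run on a schedule against the real backup target, the checksum file would be stored somewhere the backup job cannot overwrite (so a ransomware operator who encrypts the archive cannot also rewrite its digest), and a False result would page someone rather than just print.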
Remote Access – Work From Home
Risks:
• Other devices in a home network
• Outdated Wi-Fi router software
• Unpatched PCs or tablets
• Weak WPA2 credentials
• No PC protections such as a firewall and antivirus, or ones not configured properly
Threat Vector:
Implement VPN & Multi-Factor Authentication
Factors are:
• Something you know… Password
• Something you have… Debit card
• Something you are… Biometrics
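The most common "something you have" factor for remote access is a time-based one-time password (TOTP) from an authenticator app. The code below is an added example (not from the webinar or from Popular) of how that factor works end to end: the app and the server share a secret, both derive a six-digit code from the current 30-second time step, and the server checks the submitted code. It also handles two things a practitioner should insist on: a small tolerance for clock drift, and a replay guard so that a code an attacker phishes or shoulder-surfs cannot be reused within the acceptance window. The shared secret and expected codes are the published RFC 4226/6238 test vectors; the clock values are constructed for the demo.

```python
"""TOTP (RFC 6238) as a 'something you have' factor: generation and
server-side verification with drift tolerance and replay protection.

Added example; not the webinar's own code. The secret below is the
RFC 4226/6238 test secret, never reuse it for real enrolments.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # published test vector secret only


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the
    last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time ('at' seconds)."""
    return hotp(secret, at // step, digits)


def current_code(secret, step=30, digits=6):
    """What the authenticator app displays right now."""
    return totp(secret, int(time.time()), step, digits)


def verify_totp(secret, submitted, at, last_counter=-1, step=30, digits=6, skew=1):
    """Server-side check. Returns the accepted time-step counter, or None.

    - skew=1 accepts the previous and next step too, to tolerate clock drift.
    - The caller stores the returned counter and passes it back as
      last_counter on the next attempt; any counter at or below it is refused,
      so a captured code cannot be replayed inside the acceptance window.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None  # malformed input: reject before touching the secret
    counter = at // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already consumed (or older than one we accepted)
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed clock values; RFC 6238 lists 59 -> 94287082 for 8 digits,
    # whose last six digits are what a 6-digit app would show.
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))
    first = verify_totp(RFC_TEST_SECRET, "287082", at=59)
    replay = verify_totp(RFC_TEST_SECRET, "287082", at=59, last_counter=first)
    print("accepted counter:", first, "| replay accepted:", replay is not None)
```

Two design notes. The replay guard is what turns "something you have" into a real second factor against phishing kits that relay codes in real time: the legitimate login consumes the counter, so the relayed copy fails. And skew should stay at one step; widening it to cover badly drifted clocks multiplies the number of codes an attacker can guess per attempt, which is the other reason to rate-limit failed submissions.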
Small Business Perspective On Cybersecurity
Key Realities for SMBs:
• Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.
• These incidents now cost businesses of all sizes $200,000 on average, reveals insurance carrier Hiscox.
• More than half of all small businesses suffered a breach within the last year.
Today it's critical for small businesses
Source: https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/
Small Business Perspective On Cybersecurity
Yet…
SMBs do not have the resources of larger companies:
• Usually one or two IT staff, if any
• Jacks of all trades (masters of none)
• No dedicated IT security function
• Very little budget, and what there is goes to core business needs
SMBs are as responsible to the DoL and other regulatory agencies as the big boys are.
As said before by Daisa: "ERISA fiduciaries are held to a very high standard of behavior."
Then, what do we do?
Small Business Perspective On Cybersecurity
Leverage a best-practice approach to cybersecurity:
• NIST (National Institute of Standards & Technology) https://www.nist.gov/itl/smallbusinesscyber
• SANS Institute https://www.sans.org/blog/resources-for-small-businesses/
• SBA (Small Business Administration) https://www.sba.gov/content/introduction-cybersecurity
• Banco Popular Fiduciary Services. Yes, ask them!
Start at the beginning:
1. Draft a set of IT security policies. Or better yet, borrow them (NIST, SANS, etc.).
2. Implement and use those policies as a starting point or baseline.
3. Do a simple gap analysis: what do the policies require that is missing today?
4. Start putting the pieces of the puzzle together.
Small Business Perspective On Cybersecurity
To get started: get help. Contract with a reputable firm that is focused on your size and industry.
When drafting your policies, take as many applicable regulatory requirements into consideration as possible. In other words, kill as many birds with as few stones ($$) as you can.
Leverage the cloud as much as feasible. Still, do your due diligence and read the small print.
Stick to industry-standard solutions and approaches, but look for value and size-appropriate solutions, not just brands.
Automate as many processes as possible, so that you don't have to dedicate staff you don't have to monitoring events. Leverage AI and get distilled, actionable information.
Keep all your staff apprised of what you are doing and why. They can be your weakest or strongest link; it's up to you. In other words, train the hell out of them!
Small Business Perceptions on Cybersecurity
Avoid pitfalls…
▪ Don't think "I'm too small to be a target of a cyber attack" (refer to our first slide, the scary stuff).
▪ Don't try to do it all at once. Start small and allow time to absorb the new tech.
▪ Don't let your systems get too old. Keep renewing them. End-of-life (EOL) equipment no longer receives security fixes, so it is vulnerable equipment.
▪ Don't fall behind in your patching. Unpatched systems are vulnerable systems.
▪ Don't make your backup and replication processes an afterthought of your business. Make them a central piece of it.
▪ Don't set up your security and forget about it. Review it regularly.
▪ Avoid esoteric solutions. Stick to industry standards. This applies to IT in general and IT security in particular.
▪ Speaking of which, even if you don't have many people on your IT staff, designate someone to work hand in hand with management on these issues. Call them your Cyber Security Team and listen to them.
▪ Even if you have what you think is a pretty decent cybersecurity strategy in place, don't get too complacent. Test it! Contract a penetration test at least annually and expect to have weaknesses found and vulnerabilities exposed. If everything is fine… it probably isn't.
▪ And remember, for most companies it is not a matter of if, but when they are going to be hit with an attack.
Do you have any questions?
Thank You